
Massive 'Flame' malware stealing data across the Middle East

Researchers at Kaspersky Lab have uncovered a massive cyber threat, dubbed Flame, that is targeting "sensitive" information across the Middle East.

The malware, Kaspersky said, "might be the most sophisticated cyber weapon yet unleashed."

Once deployed, Flame can sniff network traffic, take screenshots, record audio conversations, log keystrokes, and more, Kaspersky said. All of the collected data is then exfiltrated to Flame's command-and-control servers.

Iran has thus far been hardest hit by Flame, with at least 189 infections. Israel/Palestine came in second with 98, followed by Sudan (32), Syria (30), Lebanon (18), Saudi Arabia (10), and Egypt (5). Kaspersky has not identified any specific organisation that Flame is targeting.

"From the initial analysis, it looks like the creators of Flame are simply looking for any kind of intelligence - emails, documents, messages, discussions inside sensitive locations, pretty much everything," Kaspersky's Alexander Gostev wrote in a blog post. "We have not seen any specific signs indicating a particular target such as the energy industry - making us believe it's a complete attack toolkit designed for general cyber-espionage purposes."

That doesn't mean it can't evolve into something more sinister. "Such highly flexible malware can be used to deploy specific attack modules, which can target SCADA devices, ICS, critical infrastructure and so on," he continued.

The firm came across Flame after the UN's International Telecommunication Union asked Kaspersky for help in identifying malware that was deleting data across the Middle East.

"While searching for that code - nicknamed Wiper - we discovered a new malware codenamed Worm.Win32.Flame," Gostev wrote.

"Flame can easily be described as one of the most complex threats ever discovered," he added. "It's big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage."

Kaspersky said Flame is a "sophisticated attack toolkit." It is almost 20 MB when fully deployed, making it extremely difficult to analyse.

"The reason why Flame is so big is because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a LUA virtual machine," he said.

Lua is a scripting language and is uncommon in malware. "Generally, modern malware is small and written in really compact programming languages, which make it easy to hide," Gostev wrote. "The practice of concealment through large amounts of code is one of the specific new features in Flame."

While Flame shares characteristics with malware like Stuxnet and Duqu, Kaspersky concluded that "Flame and Stuxnet/Duqu were probably developed by two separate groups." There are "some links which could indicate that the creators of Flame had access to technology used in the Stuxnet project." Then again, Flame's authors could have used publicly available information about Stuxnet in crafting Flame.

"We would position Flame as a project running parallel to Stuxnet and Duqu," Gostev wrote.

Stuxnet is a powerful computer worm that spreads through Microsoft Windows but specifically targets Siemens supervisory control and data acquisition (SCADA) systems like those used to control the Iranian nuclear facility infrastructure plagued by the malware in 2010. Duqu, discovered in September 2011, is thought by many security researchers to be virtually identical in origin and makeup to Stuxnet, though it appears to be tweaked to steal information from industrial control systems rather than damage them like its cousin.

In March, Symantec found that the group behind the Duqu Trojan appears to be still active, tweaking the modules for the information-stealing Trojan and targeting new victims. At the time, Kaspersky researchers also concluded that the Trojan's core framework had been written in plain C with a custom object-oriented framework (what they called "OO C"), rather than in C++ or Objective-C.